Over the years, many cybersecurity standards have been developed to provide a framework for addressing the risks that can threaten networks and the data within them. Most of these efforts, however, have more or less been exercises in reporting on compliance, effectively diverting necessary program resources. It wasn't until 2008 that the National Security Agency (NSA) was asked by the Office of the Secretary of Defense (OSD) to help prioritize the many controls available, and began to take action with an "offense must inform defense" approach. While initially a project among government entities led by NSA, the effort expanded through a public-private consortium with the SANS Institute and the Center for Strategic and International Studies (CSIS). The consortium soon grew to include government entities from the United States and abroad, law enforcement agencies, security service providers, national laboratories, academic institutions, and others.
In 2008, CSIS published the Controls for the first time, based in part on the expertise gained through its convening of the Commission on Cybersecurity for the 44th Presidency. This initial draft of the Controls was shared with over 50 IT and security organizations for additional input in 2009. Since that time, the consortium has grown, and the Controls are refined through the active involvement of its members.